You're talking out of your &£$&
"Given the compute power available in modern superphones, cracking and joining said network is trivial. Android is a real threat here; the number of applications for the Linux ecosystem to do exactly this is staggering."
Firstly, drop the "superphones" nonsense, nobody is buying it, sorry, you didn't coin a new term.
Is this trivial? Why, which phones have wireless chipsets that support monitor mode, or even promiscuous mode? Which of them support packet injection? The closest we have come is a promise that this is possible with neo-pwn on the n900. Apart from that, mobile WiFi cracking is best left to your Zaurus or netbook.
Also how is the number of wifi cracking applications staggering? Really? You think? There's only really two or three, four at a push, that are worth using. Again, these are only useful on devices with wireless network cards that can at least grab raw packets, and only practical with wireless network cards that can grab raw packets and inject raw packets... force a WPA handshake, etc.
Also, it doesn't matter how many there are, one good one is enough, a staggering number of useless ones would still be useless.
My Desire cracks WEP just fine.
Most Android phones can do it
Most of the Android phones I've seen have the Broadcom bcm4329 chip, which works just fine for all your hacking needs... sure, they might not be as fast as a souped-up desktop, but then, do you really need them to be?
As for a staggering amount of applications to crack wifi... you don't think three or four decent apps is staggering? Even five years ago, a single app to crack wifi on a phone would have been mind-blowing. Maybe you need to adjust your expectations a bit :-)
Course, people don't use it, as it's a pain in the ass to set up. But once it's up and running, your little network node won't let you hook in, if you can't authenticate.
Wonderful bit of security. Pity no one uses it. Would solve a great many attacks. From phones, laptops, you name it!
"few minutes with a target computer, I can boot it up into the Linux distro of my choice."
Boot from removable media: Disabled.
I find it truly terrifying how few people do this. It seems everyone forgets to set the system to “boot from hard drive only” and then password protect the BIOS. Even those few that password protect the BIOS still seem to leave the things configured to boot “CD-ROM, Removable, Disk, Network.”
I am not saying that a phone pwns everything. I am saying that they are now at least as useful as a netbook or most laptops at getting the job done. Proper security will of course minimise or even eliminate the threat...
...but they are a threat. Exactly as much as someone wandering around your office with an uninspected and uncontrolled Laptop would be.
Not all boards support it. Also; it can take a lot longer to get into a system and do this than you might want to expend. Furthermore, you can always pull out a USB stick and reboot a system you were working on in a flash if someone walks down the hall. Try explaining a disassembled PC away. ;)
I think that CMOS resets are still time consuming enough and awkward-looking enough to be dismissed as a possibility in most situations. The number of folks who know how to toss a Linux distro on their pen drive however are growing…
It's trivial to reset the BIOS and clear passwords, too. No matter how "locked down" a computer is, there's a way around just about everything. Physical access to a machine means that machine is compromised. Now, if you lock the desktop in a secure case that can't be opened without some work... that should buy you a few minutes, at least.
Got better things to do
than to muddle around with TUI menuitis and whatnot. Now, if only there existed something like openboot or some OS-based tool that'd let you update the nvram from the command line (scriptable!)....
Probably time to inquire with all those vendors whether they will finally be kind enough to retrieve their heads out from their behinds and offer shipping with coreboot and a suitable payload. That'd be more of an improvement than the same menu based stuff that you now can poke with your mouse. Oh the innovation. Oh how useful. But it's not scriptable so it can't be done in the same process that netboot-installs the box with a suitable image and all the apps prescribed for the profile.
"I find it truly terrifying how few people do this."
I don't. You can't plug in a USB stick without physical access, and if your attacker has physical access then you are toast. Why bother with the bios-level security theatre?
"I think that CMOS resets are still time consuming enough and awkward-looking enough..."
Worse yet, the network admin will know the CMOS was reset (and yes, all boards support it, just pop the battery). If the CMOS was reset, then just review the security tapes (yes, anyone paranoid about booting from a USB device is likely to have tapes) to see who did it. They likely have monitoring on their firewall and can see which IP the VPN tunnel (if used) went to, which can help determine the benefactor. Of course, at that point you can press criminal charges for tampering and perhaps corporate espionage. Enough for a warrant for the connected-to network machines.
Anyway, a truly paranoid environment will have their PCs under lock and key (non-user-accessible), or at the very least be running a VDI setup of some sort.
Of course, WPA2 is still "safe" for now. The article points out that WEP and WPA(1) are easily crackable.
Now, extreme potentials out of the way, this article points out how easy it is for most networks to be penetrated and siphoned by an insider. Short of making your users' job impossible to do (blocking access to data), or extreme measures (VM farm with thin clients under lock and key, no peripherals), you'll likely always have some vulnerability to be exploited by the truly industrious.
Could well be argued this would not be practical to carry out clandestinely in a company office.
Anyway, that's where physical security comes in. Kensington or other locks will prevent access to the interior of the chassis.
Also, many desktops (e.g. Dell) have chassis intrusion switches which if set up properly with management cards can be used to alert an admin. Sure, you'd only pay extra for such things if security was paramount in the organisation.
...go on then, reset a locked cmos on a laptop. You have 5 minutes. Oh sorry I forgot, it's 1985.
Oh you mean a server in a coded secured room with cameras?
Oh silly me a pc, well you could enable case lock (which many support) or i dunno, a little lock on the lid.
Oh hold so you somehow reset the cmos, booted and now you have access to a drive with full disk encryption.
Oh sorry, you're talking about CONSUMER / Mickey Mouse mom & pop business PCs. Silly me....
No, not all boards support CMOS reset. There are several available for the paranoid with the batteries soldered on. Specifically so you can't reset them.
Folk laugh at the idea of an all-powerful god being able to make a rock so heavy he can't lift it.
And then they want a secure system that they can still get into if they lose the keys.
Hence the saying (as Jones would say) "there's nowt as queer as folk". (Of course it might not be the same folk in line 1 as in line 2, blah blah, your universe may vary, etc)
Lock the key in a safe.
Then put the safe in a room with at least two types of lock.
Then give the keys to as many different people as there are keys.
Vary the number of locks, keys and people depending on the security/availability.
We have a backup administrative user. The password for which is written down on a piece of paper and kept in a safety deposit box at the bank that the senior staff have access to if something Really Bad Happens. I believe it's also where critical things like insurance documents and other things required in case of Emergency are kept.
My personal safety deposit box contains my will, insurance information, etc. as well. (Along with whatever bits of precious I own.) Doesn't everyone do this? Banks are kind of paid to take the "physical security" bits off your hands...
Packet injection? Really? As far as I've tested locally, most networks around here are still on WEP. I can listen in on my ageing WM6 Dell Axim PDA, and pick up enough traffic to crack the encryption. Then I can also snoop as much as I want, logging it all from my back pocket and taking it home for Wireshark or some equivalent app to crunch into useful data.
Cracking WEP without reinjecting packets will take you weeks on a network with "normal" levels of traffic, vs 15 mins if you can inject packets. Like I said it's about being feasible. Sure without injecting packets you can collect IVs at a slow slow rate and get enough to crack using PTW in a reasonable time but not in fact in the amount of time a mobile battery lasts for ;)
Other guy who can crack WEP on his Desire? Fantastic news, I'm off to Google that, any links or sources for me to go to?
I should also point out that a great many of the attacks against the local system I have been able to come up with using my phone are thwarted by some kinds of disk encryption. It just goes to show that there are a lot of good answers already in existence to the kinds of security problems that people wandering around with phones/laptops/flash drives/etc. can pose to your systems.
However, they only work if you purchase and – critically – actually implement them.
Bah, purchase. TrueCrypt. Just be sure to leave a donation for them on the way out.
At the very least: BitLocker (yes, it sickens me to even mention it, but better than nothing [arguably]).
full disk encryption
As a consultant I get to see lots of organisations, and pretty much every one I've seen in the last five years or so has used full disk encryption, either SafeBoot, Bitlocker, or PGP etc
And that's in Healthcare, consumer goods, insurance, telcos etc. Every. Single. One.
Has your "superphone" now got the ability to crack that and decrypt the drive's contents? Or your toy linux distro?
And as for plugging in to the cabled network - only a few months ago I accidentally plugged my laptop into the internal network rather than the external internet facing one. As it wasn't a registered machine I had had security stood by my desk within four minutes asking what I was doing. OK, you may be able to spoof the mac address, can you get it to join the domain with valid user credentials too?
In short you have the ability to "crack" into systems which any self respecting company secured years ago and therefore are likely to be worthless.
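The "security stood by my desk within four minutes" experience above comes from someone watching the wired LAN for devices that are not in the asset register. The block below is an added example, not code from the thread or from any product named in it: it reads DHCP server log lines, compares each lease against a registry of known MAC addresses and hostnames, and flags what a human should look at. The log lines, the registry and the `dhcp1` host name are constructed; the line format is modelled loosely on dnsmasq's `DHCPACK(iface) ip mac hostname` messages.

```python
"""Flag unregistered or oddly named devices from DHCP lease logs.

Added example (not from the original thread). Sample log lines and the asset
registry below are constructed for illustration.
"""
import re

# Constructed asset registry: MAC address -> hostname the asset team recorded.
REGISTERED = {
    "00:1a:2b:3c:4d:01": "fin-ws-017",
    "00:1a:2b:3c:4d:02": "hr-ws-004",
    "00:1a:2b:3c:4d:03": "print-3f-east",
}

# Constructed sample log lines (syslog prefix plus a dnsmasq-style DHCP message).
SAMPLE_LOG = """\
Nov 12 09:14:02 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.3.17 00:1a:2b:3c:4d:01 fin-ws-017
Nov 12 09:14:45 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.3.18 00:1a:2b:3c:4d:02 hr-ws-004
Nov 12 09:15:10 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.3.99 3c:5a:b4:11:22:33 consultant-mbp
Nov 12 09:16:30 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.3.20 00:1a:2b:3c:4d:03 android-d3f9a1
Nov 12 09:17:02 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) 3c:5a:b4:11:22:33
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: DHCPACK\((?P<iface>[^)]+)\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)


def parse_acks(log_text):
    """Yield one dict per DHCPACK line; every other line is ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_alerts(log_text, registry):
    """Return (severity, message) tuples for leases that need a human look."""
    alerts = []
    for ack in parse_acks(log_text):
        mac = ack["mac"].lower()
        expected = registry.get(mac)
        if expected is None:
            # Nobody registered this hardware address: unknown device on the LAN.
            alerts.append(("high", f"unregistered MAC {mac} leased {ack['ip']} "
                                   f"(hostname {ack['host']}) at {ack['ts']}"))
        elif ack["host"] and ack["host"] != expected:
            # A registered MAC presenting a different hostname can be a reinstall,
            # or a device borrowing the address of a known asset.
            alerts.append(("medium", f"MAC {mac} registered as {expected} but "
                                     f"presented as {ack['host']} at {ack['ts']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in find_alerts(SAMPLE_LOG, REGISTERED):
        print(f"[{severity}] {message}")
```

On the sample above the third lease is an unknown machine and the fourth is a registered printer address suddenly calling itself an Android device; both are exactly the cases the commenter's security team reacted to. A MAC-only check is a tripwire, not authentication, which is why the comment's follow-up question about domain credentials is the right one.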
HA ha ha haha
"... systems which any self respecting company secured years ago ..."
That's where it falls down, isn't it? First you need to wake them up from their peaceful slumber by showing them the nightmares they're ignorant of... after the white faces and brown pants and gibbering spell, then you can talk to them. Which is I think what Trevor was saying?
I must be living in a different universe; mainly banks and insurances. Yes, most of them implemented disk encryption - on portable computers (not even all did that!). Only a few had encrypted drives on all PCs. That said, time is changing and recently one of the large, lethargically retarded companies moved to the world of all drives encryption outside data centres (though I doubt their initiative really grasped all affected drives yet).
You attack encrypted systems while they are booted and the key is in memory. Pop open the case and look for a Firewire header you can slip either a laptop or an iPod with custom firmware onto. At that point, you can either carry on as you wish, or lift the key from memory for use later. You don't even have to unlock the workstation if you don't want to, just inject commands or read memory directly.
I carry nail clippers in my tool kit to remove the header pins.
Living in a world of make-believe much?
I've worked for a few FTSE 100 companies (in manufacturing, healthcare, IT Services and major high street retailers) in the last decade. Not one of them used any kind of on-device encryption. Only one used bios or boot passwords. None of them had any kind of monitoring of, or restrictions on use of, their (wired) LAN or WAN infrastructure that would pick up intrusion. None of them had/have any kind of proper validation of users' identities at their service desks so if you say you're someone, they take your word for it and will do as you ask.
Oddly, they've all had excellent WiFi security though.. (as far as these things go anyway)
You must have been SERIOUSLY lucky to work in all the places you've seen such wonderful practices, as I assure you my working week is one great big wince of pain after another as yet more gaping holes present themselves to me, and anyone else who cares to have a poke around. It's frankly scary the amount of damage you could do to the biggest organisations in the country if you fancied it, and could be arsed with the rather light touch social engineering that would be required to split them wide open...
I wasn't aware
there were ethernet-to-usb devices that connected as the master; the MicroUSB on a phone is usually a slave port.
If you insist on taking over a box with wifi but can't use usb, you might set up the phone as an AP, re-point the box, transfer in some "linux from dos" contraption, and boot that. Might have to snatch admin rights somehow first, of course.
On another note, do usb-slave to esata or firewire converters exist?
No. I'm pretty sure that if it's a USB slave then it cannot host any devices. It has to connect to a USB root hub to do anything.
USB Host mode
I have had a lot of people email me asking about getting a superphone to use an Ethernet port. (Some have outright accused me of lying; that it can't be done.) There are calls to detail the step-by-step procedure on how to get it done.
I'll be 100% honest with everyone here when I say "I don't remember how I did it." I have been hacking at the thing for so long, I cannot honestly remember which bit of code I slung to get it to work. I can give you a starting point, however. I started this journey here; http://forum.xda-developers.com/showthread.php?t=702742
Here is where you can get the bit of precious that lets you put your Desire into USB host mode. This is where you get the ability to attach devices and make the thing run wild. I have a friend with an APad orphan M16. This unit comes with a USB Ethernet dongle that /works/ with its Android. I lifted the drivers from there and with some work got it to work on the Desire. (I required a custom modified USB cable that derived the power from a battery pack.)
The entire project is nowhere near finished and ready. I would not at this time be very interested in attaching my name to it. (El Reg commenttards are notoriously brutal when it comes to any project that isn't absolutely perfect without any observable flaws. Even then, a dozen or so will start in with the "what's the point.") I'm just a sysadmin; not the kind of hardware or software hacker that does really neat things like write Cyanogenmod, cracks a PS3 or creates a one-click jailbreaker for some piece of iTat.
So I politely decline to do the write-up on my efforts; they are at a very early stage…and others within the Android community are much further along. I will leave the interested with some valuable resources that helped me along the way:
I hope that helps some truly interested soul on his path to hardware hacking glory!
You can't fight physical access
If they don't work for us, they don't get access to anything on our network. Maybe you can sit down at a PC, but one of us will be watching you. Even BIOS passwords etc. isn't going to be 100%, so why trust anyone?
We have a WiFi network for guests if they need it, but that's totally separate.
You cannot fight a determined attacker with physical access.
...but you can make the bugger work for it.
Re if they don't work for us...
Ah yes, and you trust all of the 40,000 odd employees?! The same people who committed most of the frauds and security breaches I've encountered...
This is why I superglue shut the USB ports on all my computers and still only use PS/2 connectors for keyboards and mice!
I write about the whole superphone-as-cracking-tool not because I think it’s a theoretical exercise worth mental masturbation. I write about this because I have had seven separate incidents in the past month where I have been legitimately called upon to break into someone’s network/local computer and the only tools I had available were my HTC Desire, a MicroUSB cable and my MicroSD to USB adapter.
I threw the USB-to-Ethernet doohickey in there largely because right after I rooted my phone I putzed about with the USB port going "hmm, what can I make this blinking thing do?" I did get it to use a USB Ethernet NIC…with much effort. I have however not been able to get the bloody thing into promiscuous mode. Yet. I do not doubt for an instant that someone with a Nokia device and way more skill has already gotten light years past me on this.
So the risks of superphones aren’t theoretical for me. I’ve had to actually use them in practice.
For all the jokes about paranoia, there actually are out there creepy dudes who have their systems set up to reboot into an infinite DBAN loop based on either remote commands or unauthorised physical entry. I have actually met folks like that. Security is a balance; like hell I'd go that far at my day job. Working at a bank, however...it would be a serious consideration.
The part that hurts is that the paranoid blokes with the e-security fetish that I know are all sysadmins for post-secondary institutions. Faculty admins largely responsible for the client side and a few scattered local file storage systems. Creepy folk. I worry about the kind of mischief some of the sysadmins working in the office right next door could get up to if they so chose. These folks worry about three-letter agencies.
We’re talking people who with a straight face argue that everyone everywhere should be running line-of-business applications from within hidden partitions inside encrypted files residing on a fully encrypted drive whilst forcing encryption upon all web and email services. Forget passwords; they prefer minimum three-factor authentication using a password, physical token and biometrics. For a professor to update a schedule on a bloody secure intranet! That’s paranoid.
I think they’re way, WAY past supergluing the USB ports shut. ;)
Okay, you win
I've worked with some paranoid security guys, but that's taking it to extremes. OTOH, that's kind of the nature of academia, so it makes sense.
Most data leaks are inside jobs anyhow. Someone with a grudge against the company or paid off. The people working inside are the people with access. Once that encrypted hard disk is up and running and open to the users in that company the data is free to go where it pleases (dependent on how much access those employees have to the data of course).
"Firstly, drop the "superphones" nonsense, nobody is buying it, sorry, you didn't coin a new term."
That term's already coined, actually. These newer phones that can decode HD video on the phone, and tend to have HDMI outputs and such, have been referred to as superphones for a while now. You're being too hard on the author I think.
@Henry Wertz 1
You get used to it. After seventy some odd articles I've (finally) learned the truth: there's at least one in every comment thread. Some folks are just contrarian. What makes this particular gripe amusing to me is that I never set out to "coin a term" at all. I see a notable difference between smartphones and superphones in terms of the attack risk they represent. As a systems administrator defending my turf, they are two completely different animals.
Other parts of the internets have been calling these new gizmos "superphones," but it's largely been a marketing term. NO attempts to actually define it have taken place. I figured, "what the hell; I lack a better term for this new class of devices." At least I defined what I believed the term represented. I'll be happy to use a different term if anyone can come up with something better.
The issue I think the commenter takes is that he doesn't believe there is a separation between old-school smartphones and modern superphones. We will have to remain at odds on that, as I must respectfully disagree with him.
"Pocket PC" is kind of taken.
What was a "smartphone" a year or two ago - one that could do more than make calls and send and receive SMS - is now a "feature phone". If you have a camera, a web browser, a media player, maybe Java or something similar, but you aren't Android or iPhone or "Windows Mobile", then you're a "feature phone".
I'd still call them smartphones, why do we need something after smart, but what the heck.
Some other ideas:
Powerphones (for the sort of people whose job of responsibility and respect but not necessarily actual achievement impels them to buy products and practise habits with "power" in the name to distract them from the fact that their overall net contribution to the happiness of the human race is pretty much zero)
Information appliances (if you work on design for a major computing company but not on the fun side of stuff)
Phones with benefits (I see that in Android's "Health" section there's a "Vibrate" app. Apparently it only does that thing, it makes the device vibrate, that's all)
I don't actually mind "Powerphones." If I remember after running errands today, I'll plead with Her Wonderful Self and see if she'd be so kind as to set up a Register Reader Poll with a few possibilities. Maybe we the commenters can put the issue to rest once and for all?
May backfire, though
Telling the suits about the dangers of smartphones might backfire, though. I know a few companies (have to visit them occasionally) where nobody (no visitor, no worker, no CEO) is allowed to carry a phone with a camera. It would be much easier (and cheaper) to extend this prohibition to smartphones with WiFi and/or USB connectors than implementing a decent security setup.
Oh, and BTW - the USB ports on the computers in these companies usually work and accept my stick :-)
The old solution
Lock the room.
It's what Grandpa used to say, and you gotta honor the timeless wisdom of age!
"Your Star Wars quoted passphrase is weak, Obi-Wan."
Although WPA2 is the correct choice and you should look into enterprise configuration, I'm not aware that WPA is particularly a weaker standard. Rather, WPA means "Released before the WPA !standard was actually ready" - in effect, as far as interoperability goes, those are beta-release products, and WPA2 is the finished article. But basically the same thing.
My idea to set a passphrase is to choose the first word on each line of a randomly chosen book page or newspaper page, but I don't know if that stands up to modern attacks. And apparently, Windows 7 administrator users can quite easily view the PC's pre-shared key passphrase. Which I suppose means that a crew of trustworthy techs have to go round changing them, and you'll sniff or honeypot for anybody using the old one - instant dismissal, say.
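Two things in the comment above can be made concrete: what a WPA2-Personal passphrase actually turns into on the client (which is why any box that has joined the network holds enough to recover it), and how much entropy a wordlist-style passphrase carries once the attacker is assumed to know the scheme. The block below is an added example, not code from the thread or from any product named in it. The PBKDF2 derivation is the one 802.11i specifies for WPA/WPA2-Personal (HMAC-SHA1, the SSID as salt, 4096 rounds, 256-bit output); the wordlist and the `OfficeWLAN` SSID are constructed placeholders.

```python
"""WPA2-Personal passphrase hygiene: the PSK derivation and wordlist entropy.

Added example (not from the original thread). The sample wordlist is a tiny
constructed stand-in; a real list would hold a few thousand words.
"""
import hashlib
import math
import secrets

SAMPLE_WORDS = ["anvil", "bishop", "copper", "dahlia", "ember", "fjord",
                "garnet", "hollow", "ivory", "juniper", "kestrel", "lantern"]


def wpa2_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key (as hex) that a supplicant stores.

    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    per IEEE 802.11i. The passphrase must be 8-63 printable ASCII characters.
    """
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    if not 0 < len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def generate_passphrase(words, count, sep="-"):
    """Pick `count` words uniformly at random with the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(vocab_size, count):
    """Entropy when each word is drawn uniformly from vocab_size candidates.

    Assumes the attacker knows the wordlist and the scheme; only the choices
    themselves are secret.
    """
    return count * math.log2(vocab_size)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 6)
    bits = passphrase_entropy_bits(len(SAMPLE_WORDS), 6)
    print(f"{phrase}  (~{bits:.1f} bits against an attacker who knows the list)")
    print("PSK:", wpa2_psk(phrase, "OfficeWLAN"))
```

The entropy function is the honest way to judge the "first word on each line of a book page" idea: if the attacker can guess which books and pages are plausible, the vocabulary is small and the bits fall accordingly, whereas six words drawn with a CSPRNG from a 7,776-word list give about 77 bits regardless of who knows the list. The derivation function shows why rotating the passphrase is the only remedy once a client has leaked it: the PSK is a deterministic function of passphrase and SSID, so every client holds the same key.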